src/lxc/lsm/selinux.c

   1 /*
   2  * lxc: linux Container library
   3  *
   4  * Copyright © 2013 Oracle.
   5  *
   6  * Authors:
   7  * Dwight Engen <dwight.engen@oracle.com>
   8  *
   9  * This library is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU Lesser General Public
  11  * License as published by the Free Software Foundation; either
  12  * version 2.1 of the License, or (at your option) any later version.
  13  *
  14  * This library is distributed in the hope that it will be useful,
  15  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  16  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
  17  * Lesser General Public License for more details.
  18  *
  19  * You should have received a copy of the GNU Lesser General Public
  20  * License along with this library; if not, write to the Free Software
  21  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
  22  */
  23
  24 #include <errno.h>
  25 #include <stdlib.h>
  26 #include <sys/types.h>
  27 #include <unistd.h>
  28 #include <selinux/selinux.h>
  29
  30 #include "log.h"
  31 #include "lsm/lsm.h"
  32 #include "conf.h"
  33
  34 #define DEFAULT_LABEL "unconfined_t"
  35
  36 lxc_log_define(lxc_lsm_selinux, lxc);
  37
  38 /*
  39  * selinux_process_label_get: Get SELinux context of a process
  40  *
  41  * @pid     : the pid to get, or 0 for self
  42  *
  43  * Returns the context of the given pid. The caller must free()
  44  * the returned string.
  45  *
  46  * Note that this relies on /proc being available.
  47  */
  48 static char *selinux_process_label_get(pid_t pid)
  49 {
  50         security_context_t ctx;
  51         char *label;
  52
  53         if (getpidcon_raw(pid, &ctx) < 0) {
  54                 SYSERROR("failed to get SELinux context for pid %d", pid);
  55                 return NULL;
  56         }
  57         label = strdup((char *)ctx);
  58         freecon(ctx);
  59         return label;
  60 }
  61
  62 /*
  63  * selinux_process_label_set: Set SELinux context of a process
  64  *
  65  * @label   : label string
  66  * @conf    : the container configuration to use @label is NULL
  67  * @default : use the default context if label is NULL
  68  * @on_exec : the new context will take effect on exec(2) not immediately
  69  *
  70  * Returns 0 on success, < 0 on failure
  71  *
  72  * Notes: This relies on /proc being available.
  73  */
  74 static int selinux_process_label_set(const char *inlabel, struct lxc_conf *conf,
  75                                      int use_default, int on_exec)
  76 {
  77         const char *label = inlabel ? inlabel : conf->lsm_se_context;
  78         if (!label) {
  79                 if (use_default)
  80                         label = DEFAULT_LABEL;
  81                 else
  82                         return -1;
  83         }
  84         if (!strcmp(label, "unconfined_t"))
  85                 return 0;
  86
  87         if (on_exec) {
  88                 if (setexeccon_raw((char *)label) < 0) {
  89                         SYSERROR("failed to set new SELinux exec context %s", label);
  90                         return -1;
  91                 }
  92         } else {
  93                 if (setcon_raw((char *)label) < 0) {
  94                         SYSERROR("failed to set new SELinux context %s", label);
  95                         return -1;
  96                 }
  97         }
  98
  99         INFO("changed SELinux%s context to %s", on_exec ? " exec" : "", label);
 100         return 0;
 101 }
 102
 103 static struct lsm_drv selinux_drv = {
 104         .name = "SELinux",
 105         .enabled           = is_selinux_enabled,
 106         .process_label_get = selinux_process_label_get,
 107         .process_label_set = selinux_process_label_set,
 108 };
 109
 110 struct lsm_drv *lsm_selinux_drv_init(void)
 111 {
 112         if (!is_selinux_enabled())
 113                 return NULL;
 114         return &selinux_drv;
 115 }